Mac Forensic Part 3 (Filesystem)

Supported Filesystem in Mac OS X

HFS Plus or HFS+ is a file system developed by Apple Inc and is the primary file system used in Macintosh computers. Another version of HFS Plus called HFSX is introduced in OS X 10.3.

MAC OS X support the following filesystem:

  • Read/Write:
    • Mac OS X Extended (Journaled)
    • Mac OS X Extended (Journaled, Encrypted)
    • Mac OS X Extended (Case-sensitive, Journaled)
    • Mac OS X Extended (Case-sensitive, Journaled, Encrypted)
    • MS-DOS (FAT)
    • ExFat
  • Read Only:
    • NTFS

Partition in OS X

There are 3 choices of partitioning in OS X:

  • GUID Partition Table (GPT), primarily used in Intel-based Mac. GPT uses Extensible Firmware Interface (EFI) in place of a BIOS
  • Apple Partition Map, mainly used in PowerPC based MAC
  • Master Boot Record (MBR) for Windows compatibility system

000

Files in HFS are made up of 2 parts; data fork and resource fork. Data fork contains the actual data of the file. Resource fork contain information of the file. Resource fork may contain icon, metadata, preferences and application code. Volumes in HFS are divided into 512-byte logical blocks. A group of 8 blocks is known as an allocation block.

Like NTFS, HFS also use metadata files to keep track of the volume:

  • Volume header: information of the volume; total files, size of allocation table, number of allocation block and write-protected status.
  • Catalog File: keep track of folders and files on the volume
  • Extents overflow: hold the location of the extents that are greater than 8.
  • Allocation File: keep track of the allocation block on a volume
  • Attributes File: Used to store extended metadata attributes and additional files’ forks.

Folders in OS X

The key folders are as follows:

  • Applications/: Default folder for applications
  • Library/: Contained OS X files and supported operating system items for system global functionality and apply to all users. Network/: Network domain, open directory or active directory
  • System/: Reserved for OS X System files and contained items such as system setup and functionality of the system
  • Users/: Home folders for local users. There will also be a “Public” folder for sharing of files between users.
  • .DocumentRevisions/: Contain files of previous versions of documents. (Root access only)
  • .fseventsd/: Logging of filesystem events. (Root access only)
  • .Trashes (Empty)
  • mach_kernel:  OS X Mach kernel
  • etc or private/etc/: Configurations and other system files
  • private/sbin/: Linux-styled binaries for admin
  • var/ or private/var
  • Volumes/: Mounted devices such as harddisk, CD, DMG and USB drives.
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s